A security researcher who voluntarily canceled a talk about critical holes in Siemens' industrial control systems has criticized the German company for downplaying the severity of his findings.
“The vulnerabilities are far reaching and affect every industrialized nation across the globe,” Dillon Beresford wrote in an email …

How would you propose to operate a SCADA system without a network?

(The transfer of magic electrons notwithstanding).

Seriously, the concept of SCADA is to provide operator interface to and collect data from a networked control system. I'm not aware of a network that isn't accessible via "sneakernet" regardless of the OS platform(s) on the network.

The root cause here is the long-term belief in the systems integration industry that control systems were so specialized that no one would ever make the effort to specifically target them. As such, even the simplest of security restrictions were ignored for most of the industry's history. I work in this industry and any "focus" on security is about 5-10 years behind the curve.

Siemens may be unfairly catching the brunt of the publicity (they are by no means the only OEM with security issues), but their special conditions argument is marketing BS.

@Battsman

"Seriously, the concept of SCADA is to provide operator interface to and collect data from a networked control system. "

You appear to equate the internet as the *only* Wide Area Network in existence, and therefore the network *all* SCADA control systems *have* to connect to.

If so you're *very* mistaken. SCADA systems have been around since at *least* the 1930s. For most of that time they operated either through leased lines running supplier provided protocols or the telephone system, again running typically proprietary protocols.

It is only *fairly* recently that the mantra lower costs -> standard protocols -> eliminate *private* networks -> transmit/receive *everything* over the internet has spread like a fungus through utility and other networks. While keeping SCADA data on a *physically* separate network (retaining TCP/IP for cost) would not stop *all* of this, it would make a hell of a difference.

"I'm not aware of a network that isn't accessible via "sneakernet" regardless of the OS platform(s) on the network"

Here's your problem...

Great plan...

Great plan... Yes, blame Microsoft for the problem of a lack of interest in basic security practices in the systems integration industry. Any OS can be targeted - especially if the implementer isn't even remotely concerned about basic security procedures.

Rigging the rules

Was not Siemens, a decade or so ago, accused of strong-arming the framing of EU specifications for data transmission protocols in industrial control systems? This was said to have put several of their competitors, whose systems consequently became 'non-compliant', at something of a disadvantage.

The trade magazine 'Control and Instrumentation', as I recall, covered this issue in some depth. Do any other readers remember more detail?

Say what?!

> the bugs “were discovered while working under special laboratory conditions with unlimited access to protocols and controllers.”

So Siemens are complaining that he discovered the flaws because he had access to a controller? That he bought? Did I miss something? Who cares how he discovered them, it's how they are exploitable that is the issue. If you need to be under lab conditions to exploit then fair do's, however it seems not to be the case.

Next - Nokia sue consumer who discovered his latest phone was crap when he had unlimited access to it (i.e. he took it home from the shop where he bought it)

umm Siemens

You might not want to play the Sony security card as it tends to keep you in the headlines for all the wrong reasons. Watch: next, like Sony, instead of fixing their security, they will sic their lawyers on the security research community. If it burns when you pee, don't tell anyone and it will go away.

«My personal apartment on the wrong side of town

where I can hear gunshots at night hardly defines a special laboratory.» Mr Beresford seems to live in the Austin, Texas area; given the situation he describes, one wonders if he might not want to consider removing to a calmer area....

"Any OS can be targeted"

That's easy to say, and easy for the certified Microsoft dependent and the PHB to believe, but the reality is that with something more sensible than Windows boxes in the SCADA picture, propagating Stuxnet around the world would have been a great deal more difficult.

Something Stuxnet-like may not have been completely impossible on a more robust OS than Windows, especially given some of Siemens' particularly flawed practices (default passwords?) but as the saying goes, "every little helps". Getting Windows out of the picture would have been more than a little helpful.

For full details of how Stuxnet propagated and interacted with the Siemens software, have a look at www.langner.com. The PC AV companies (Symantec included) don't have much of a clue about Siemens, even if they are good at PR.